def test_encrypt_decrypt(self, key_template_name, supported_langs): key_template = supported_key_types.KEY_TEMPLATE[key_template_name] keyset = testing_servers.new_keyset('java', key_template) supported_daeads = [ testing_servers.deterministic_aead(lang, keyset) for lang in supported_langs ] self.assertNotEmpty(supported_daeads) unsupported_daeads = [ testing_servers.deterministic_aead(lang, keyset) for lang in SUPPORTED_LANGUAGES if lang not in supported_langs ] plaintext = (b'This is some plaintext message to be encrypted using ' b'key_template %s.' % key_template_name.encode('utf8')) associated_data = (b'Some associated data for %s.' % key_template_name.encode('utf8')) ciphertext = None for p in supported_daeads: if ciphertext: self.assertEqual( ciphertext, p.encrypt_deterministically(plaintext, associated_data)) else: ciphertext = p.encrypt_deterministically( plaintext, associated_data) for p2 in supported_daeads: output = p2.decrypt_deterministically(ciphertext, associated_data) self.assertEqual(output, plaintext) for p2 in unsupported_daeads: with self.assertRaises(tink.TinkError): p2.decrypt_deterministically(ciphertext, associated_data) for p in unsupported_daeads: with self.assertRaises(tink.TinkError): p.encrypt_deterministically(b'plaintext', b'associated_data')
def test_inc_version_daead(self, key_template_name, lang): """Increments the key version by one and checks they can't be used.""" template = supported_key_types.KEY_TEMPLATE[key_template_name] keyset = testing_servers.new_keyset(lang, template) p = testing_servers.deterministic_aead(lang, keyset) _ = p.encrypt_deterministically(b'foo', b'bar') for keyset1 in gen_inc_versions(keyset): daead_primitive = testing_servers.deterministic_aead(lang, keyset1) with self.assertRaises(tink.TinkError): _ = daead_primitive.encrypt_deterministically(b'foo', b'bar')
def test_daead_without_primary(self, key_template_name, lang): """Unsets the primary key and tries to use a DAEAD primitive.""" template = supported_key_types.KEY_TEMPLATE[key_template_name] keyset = testing_servers.new_keyset(lang, template) p = testing_servers.deterministic_aead(lang, keyset) ciphertext = p.encrypt_deterministically(b'foo', b'bar') daead_without_primary = testing_servers.deterministic_aead( lang, unset_primary(keyset)) with self.assertRaises(tink.TinkError): _ = daead_without_primary.encrypt_deterministically(b'foo', b'bar') with self.assertRaises(tink.TinkError): _ = daead_without_primary.decrypt_deterministically( ciphertext, b'bar')
def test_encrypt_decrypt(self, key_template_name): supported_langs = supported_key_types.SUPPORTED_LANGUAGES_BY_TEMPLATE_NAME[ key_template_name] self.assertNotEmpty(supported_langs) key_template = supported_key_types.KEY_TEMPLATE[key_template_name] # Take the first supported language to generate the keyset. keyset = testing_servers.new_keyset(supported_langs[0], key_template) supported_daeads = [ testing_servers.deterministic_aead(lang, keyset) for lang in supported_langs ] self.assertNotEmpty(supported_daeads) unsupported_daeads = [ testing_servers.deterministic_aead(lang, keyset) for lang in SUPPORTED_LANGUAGES if lang not in supported_langs ] plaintext = (b'This is some plaintext message to be encrypted using ' b'key_template %s.' % key_template_name.encode('utf8')) associated_data = (b'Some associated data for %s.' % key_template_name.encode('utf8')) ciphertext = None for p in supported_daeads: if ciphertext: self.assertEqual( ciphertext, p.encrypt_deterministically(plaintext, associated_data)) else: ciphertext = p.encrypt_deterministically( plaintext, associated_data) for p2 in supported_daeads: output = p2.decrypt_deterministically(ciphertext, associated_data) self.assertEqual(output, plaintext) for p2 in unsupported_daeads: with self.assertRaises( tink.TinkError, msg='Language %s supports decrypt_deterministically with %s ' 'unexpectedly' % (p2.lang, key_template_name)): p2.decrypt_deterministically(ciphertext, associated_data) for p in unsupported_daeads: with self.assertRaises( tink.TinkError, msg='Language %s supports encrypt_deterministically with %s ' 'unexpectedly' % (p.lang, key_template_name)): p.encrypt_deterministically(b'plaintext', b'associated_data')
def test_daead(self, lang): keyset = testing_servers.new_keyset( lang, daead.deterministic_aead_key_templates.AES256_SIV) plaintext = b'The quick brown fox jumps over the lazy dog' associated_data = b'associated_data' daead_primitive = testing_servers.deterministic_aead(lang, keyset) ciphertext = daead_primitive.encrypt_deterministically( plaintext, associated_data) output = daead_primitive.decrypt_deterministically( ciphertext, associated_data) self.assertEqual(output, plaintext) with self.assertRaises(tink.TinkError): daead_primitive.decrypt_deterministically(b'foo', associated_data)
def test_key_rotation(self, enc_lang, dec_lang, old_key_tmpl, new_key_tmpl): # Do a key rotation from an old key generated from old_key_tmpl to a new # key generated from new_key_tmpl. Encryption and decryption are done # in languages enc_lang and dec_lang. builder = keyset_builder.new_keyset_builder() older_key_id = builder.add_new_key(old_key_tmpl) builder.set_primary_key(older_key_id) enc_daead1 = testing_servers.deterministic_aead( enc_lang, builder.keyset()) dec_daead1 = testing_servers.deterministic_aead( dec_lang, builder.keyset()) newer_key_id = builder.add_new_key(new_key_tmpl) enc_daead2 = testing_servers.deterministic_aead( enc_lang, builder.keyset()) dec_daead2 = testing_servers.deterministic_aead( dec_lang, builder.keyset()) builder.set_primary_key(newer_key_id) enc_daead3 = testing_servers.deterministic_aead( enc_lang, builder.keyset()) dec_daead3 = testing_servers.deterministic_aead( dec_lang, builder.keyset()) builder.disable_key(older_key_id) enc_daead4 = testing_servers.deterministic_aead( enc_lang, builder.keyset()) dec_daead4 = testing_servers.deterministic_aead( dec_lang, builder.keyset()) self.assertNotEqual(older_key_id, newer_key_id) # 1 encrypts with the older key. So 1, 2 and 3 can decrypt it, but not 4. ciphertext1 = enc_daead1.encrypt_deterministically(b'plaintext', b'ad') self.assertEqual( dec_daead1.decrypt_deterministically(ciphertext1, b'ad'), b'plaintext') self.assertEqual( dec_daead2.decrypt_deterministically(ciphertext1, b'ad'), b'plaintext') self.assertEqual( dec_daead3.decrypt_deterministically(ciphertext1, b'ad'), b'plaintext') with self.assertRaises(tink.TinkError): _ = dec_daead4.decrypt_deterministically(ciphertext1, b'ad') # 2 encrypts with the older key. So 1, 2 and 3 can decrypt it, but not 4. ciphertext2 = enc_daead2.encrypt_deterministically(b'plaintext', b'ad') self.assertEqual( dec_daead1.decrypt_deterministically(ciphertext2, b'ad'), b'plaintext') self.assertEqual( dec_daead2.decrypt_deterministically(ciphertext2, b'ad'), b'plaintext') self.assertEqual( dec_daead3.decrypt_deterministically(ciphertext2, b'ad'), b'plaintext') with self.assertRaises(tink.TinkError): _ = dec_daead4.decrypt_deterministically(ciphertext2, b'ad') # 3 encrypts with the newer key. So 2, 3 and 4 can decrypt it, but not 1. ciphertext3 = enc_daead3.encrypt_deterministically(b'plaintext', b'ad') with self.assertRaises(tink.TinkError): _ = dec_daead1.decrypt_deterministically(ciphertext3, b'ad') self.assertEqual( dec_daead2.decrypt_deterministically(ciphertext3, b'ad'), b'plaintext') self.assertEqual( dec_daead3.decrypt_deterministically(ciphertext3, b'ad'), b'plaintext') self.assertEqual( dec_daead4.decrypt_deterministically(ciphertext3, b'ad'), b'plaintext') # 4 encrypts with the newer key. So 2, 3 and 4 can decrypt it, but not 1. ciphertext4 = enc_daead4.encrypt_deterministically(b'plaintext', b'ad') with self.assertRaises(tink.TinkError): _ = dec_daead1.decrypt_deterministically(ciphertext4, b'ad') self.assertEqual( dec_daead2.decrypt_deterministically(ciphertext4, b'ad'), b'plaintext') self.assertEqual( dec_daead3.decrypt_deterministically(ciphertext4, b'ad'), b'plaintext') self.assertEqual( dec_daead4.decrypt_deterministically(ciphertext4, b'ad'), b'plaintext')